Question
Imagine you are testifying in court regarding a recent digital forensic examination you conducted. Your direct examination goes very well, and you are just starting to relax when the defense attorney rises and begins to speak. However, to your surprise, he doesn’t want to talk about your report findings (at least not yet). He starts out by asking about your political leanings and affiliations. The prosecutor tries to object to this line of questioning, but is overruled. The defense attorney continues, claiming you run an online blog where you regularly post your political opinions, most strongly supporting the current government. You don’t like where this is going… He concludes by asking the following question: “It is clear from your blog posts that you are a staunch supporter of the government. Isn’t it true that you were just a police hack in this case, and you reported only what would help the government’s case against my client, who is being wrongly accused because of his political views?” How would you answer this question?
Explanation / Answer
But digital technology has changed all that in at least two significant ways.
First, this technology is allowing criminals direct access to our lives, as no proverbial right or wrong side of the tracks exists to divide the safe from the unsafe in cyberspace. Imagine that you go to a shopping mall and a criminal wants to rob you. In the recent past, that thief would have had to follow you to a vulnerable place and would have had to force you into surrendering your wallet. Now, armed with nothing more than a laptop computer and a wireless remote, that thief can use a "sniffer" program to access the credit card payment systems used by the store that just swiped your credit card. Unwittingly, you have just electronically surrendered your name, your card number, and other private information in the store's computers. This high-tech thief can snatch your financial information electronically from the convenience and safety of his or her car just outside of a business that has not secured its network from wireless hacking. If he or she were especially savvy, only a few dollars would be removed from your account at one time, remaining undetected by you. To bring the example home: one suspect in this country was found in possession of financial information of more than 1,000,000 people. (Interview with Agent M.H., Federal Bureau of Investigation, in New Orleans, La. (Nov. 19, 2003).)
Second, digital technology has introduced crime as a career to many who previously may have found that committing crimes the old-fashioned way, such as robbing or kidnapping, involved too much work or risk. Gaining the trust of a seventh grader via e-mail and then arranging to meet in a secret place to behave inappropriately is, frankly, achievable for many pedophiles who, when faced with having to physically kidnap a person and force the individual to comply, might not have the wherewithal to commit the crime. In short, to the extent that technology makes things easier, one of those things made easier is crime.
Albert Einstein said that "[t]echnological progress is like an axe in the hands of a pathological criminal." (THE QUOTATIONS PAGE, available at www.quotationspage.com.) And so it appears that technology, in addition to enhancing our lives in wondrous ways, has become a dangerous tool used by twenty-first century criminals. Both technology and law enforcement analysts warn that use of technology to perpetrate or support crime will only increase as the ingenuity of criminals grows along with the rapid development of technological devices and electronic communication. All kinds of criminals are getting into the act: from identity thieves to drug dealers; from terrorists to pedophiles; from money-laundering schemers to slick con artists; from those who turn to crime out of desperation to fill an unmet desire to those just-because-I-can criminals, such as computer virus launchers, who create chaos for sport. To protect society, law enforcement must keep up with the moving target of criminal technological advances and find efficient and ingenious ways to combat them, a goal not very easily accomplished.
But there is hope. Evidence of criminal activity is often left behind (by sophisticated high-tech criminals as well as regular thugs who just happen to use cell phones or e-mail) that can be used to help prosecute perpetrators and put them behind bars. The potential to mine evidence from technology is crying out for the training of law enforcement officers to recognize technological devices at a scene that might contain crucial information to help prosecute a criminal. Once the device potentially containing digital evidence (that is, electronic information that is either stored or transmitted in binary systems consisting of zeros and ones) is found, it must be properly collected and transported to an appropriate digital forensics laboratory. There, digital forensics analysts who have the knowledge and experience to uncover the evidence without compromising its integrity or credibility at trial must analyze the technological devices and prepare any evidence obtained for court. Just as a strand of DNA is carefully extracted from a blood stain on a piece of broken glass that was properly collected and preserved from even the appearance of any spoliation or tampering, so too must the time of a phone call be competently removed from the chip in a properly seized cell phone.
Unfortunately, rarely do law enforcement officials fully recognize the potential for technological evidence to help solve crimes and prosecute criminals. Although training programs, similar to police academies, educate the people who are most likely to be the first to encounter potential evidence, too few programs provide meaningful training on the searching, seizing, and preservation of technological devices that may contain electronic forensics evidence. The culture of law enforcement, especially on the street, tends to be more focused on the physical demands of the job and on the collection and inspection of nontechnological evidence, such as bullets and fingerprints. But as criminals incorporate technology into their repertoire of crimes, so must officers, investigators, prosecutors, and even judges increase their knowledge of technology, especially with respect to courtroom evidence, in their respective roles of upholding justice.
The positive news is that the need for digital forensics training and laboratories is beginning to be recognized and met. For example, an innovative test site, the Gulf Coast Computer Forensics Laboratory, located in New Orleans, serves law enforcement agencies by providing research and development, training programs, and community awareness. It was initiated through the University of New Orleans with start-up funding from the National Institute of Justice and is managed by the University's Center for Society, Law and Justice. The laboratory, where digital forensics analysts use near-surgical skills to extract information from technological devices, is at once state-of-the-art and no-frills. No expense was spared on creating an environment of credibility and high integrity. To note just one example, cameras and electronic door monitors record exactly who is where with what piece of evidence at all times. Yet, with limited resources and its focus on discovering digital evidence, most walls remain bare and the carpet and desks lack any design flair. This laboratory is the largest of its kind in the southern United States and, if sustained, will be available for use by all area law enforcement agencies. But state-of-the-art labs like this are needed in every region, if not in every major city.
Much effort and specialized training of law enforcement and forensics experts over the years have developed the process of preserving and analyzing forensic evidence (fingerprinting, hair and blood analysis, DNA, ballistics, etc.), a process that criminal law has come to rely on today. Likewise, more training and resources are needed, especially in the form of more laboratories and research centers, for the practice of criminal law to benefit from electronic forensic evidence in the future. If the culture of criminal law can be convinced of the need to appreciate the extent of infiltration of technology into crime and evidence, and if a credible process for collecting and analyzing electronic forensic evidence can be established throughout the nation, technological evidence will become routinely instrumental in helping to prosecute both cyber-criminals and traditional criminals who use technology to support elements of their crimes.
Electronic evidence: Ever present, not easily removed
Anyone and everyone, even a sophisticated hacker, using a computer for any kind of activity leaves behind potential electronic evidence. As we shop, research, and communicate over the Internet, and as we use computers, personal digital assistants, cell phones, and other devices to store, transmit, and retrieve information at home and at work, we are placing into electronic form private, sensitive, and even incriminating information that is getting stored in various databases such as Internet-connected servers, work-related networks, and on computer hard drives. This electronic trail can serve as powerful legal evidence against a suspected criminal, as it reveals highly probative "digital fingerprints" that can potentially be used to prove civil wrongs or criminal activity in a court of law.
"Technological devices contain all sorts of electronic evidence that can reveal a wide array of information," said Dr. Peter Scharf, cofounder of the Gulf Coast Computer Forensics Laboratory. "Criminal associations, for example, might be suggested by e-mail communications, writings about money-laundering schemes or terrorist plots, or spreadsheets of the division of criminal profits." He added that digital cameras or devices that store photography and video could contain still or moving pictures, for example, that evidence criminal pedophile activity, with date and time stamps to boot.
"Think of what is now stored and performed electronically," Scharf said. "Personal e-mail messages, online purchases, interactive Internet games, and other activities that involve thousands of people at once may be used to facilitate drug drops or even terrorist planning. Many criminals have left technological clues as to what crimes they have committed, be they economic fraud, computer intrusion, domestic violence, terrorist threats, harassment, stalking, extortion, gambling, identity theft. . . . The list is endless."
Technology has become an integral part of life, with millions of people worldwide using a digital device of some sort daily. Many have been used for so long that their users do not realize that they contain electronic evidence. Printers and copiers, for example, once very basic in design, now record and store much detailed information, such as a version of all documents that have been printed or copied, under what pass code the machine was operated, and the date and time of printing or copying. All sorts of devices have digital signatures that are overlooked. Examples include digital watches, caller identification boxes, global positioning systems, and Web television. Pagers, cell phones, and answering machines store information such as voice messages, call time and date, lists of all made and received calls, and even messages their users thought had been deleted. Even simple word processing documents contain not only the latest version of the text, but by hitting the "undo" button (to undo each of the edits) on some word processing programs that are not properly closed, it is possible to see all of the editing changes the author made to a document. All of these methods can provide a wealth of information about criminal activities, especially with respect to conspiracies, organized crime, and terrorist plots, where communication often is a necessary or fundamental part of the crime.
Unlike the act of simply smudging one's fingerprints at a crime scene in an attempt to hide or destroy that kind of physical forensic evidence, it is not easy to eliminate electronic forensic evidence. For example, e-mail is convenient and immediate, but its nature is misleading. Many people who send and receive e-mails in the privacy of their home or office begin to feel comfortable using this means to share information they consider private. Imagine an e-mail message between two criminals about a drug distribution conspiracy, containing the time and place of a particular drug transaction. After the critical information is exchanged, the two delete the messages on their respective computers to hide the communication and then proceed with the deal. Much to the consternation of these particular criminals (and to many sharers of e-mail, one might assume), the act of clicking the delete button does not eliminate the information like a paper shredder physically destroys a document. Deleting a file or document by sending it to the "recycle bin" or "trash" merely sends it to another part of the computer hard drive. Even when the recycle bin or trash subdirectory is "emptied," the file or document is often maintained in a compressed form on the computer's hard drive, and thus is recoverable. That process may well require the expertise of a specialized laboratory or research center, using uncommon software, but it is no longer impossible. Similar to the law of physics that states energy is never really destroyed but simply converted to another form, electronic evidence, even if "deleted," often lives on indefinitely, deep in digital memory banks. Eventually, it might be overwritten, but not nearly as soon as one might suspect.
To wipe out some of the compressed information, criminals would have to reformat their hard drives. (This is not overly difficult, but it is time consuming and does not wipe out all data.) The only way to completely wipe out all information is to totally destroy the computer. And, even then, the e-mail message still could be stored in any or all of the network servers or Internet service providers (ISPs) used to send or receive that e-mail. Thus, irrespective of the computer hard drives, the e-mailed information would often be retrievable for a certain amount of time from network servers or ISPs, which act like way stations or relay posts for the e-mail communiqués, often keeping copies of the files and messages that pass through them, depending upon the provider.
Portable devices such as electronic organizers and memory cards that can fit into wallets or be worn in lockets can contain the same information as a personal computer but allow for greater transportability of that information, for ease of smuggling or destroying them, if necessary. One or both of the criminals who exchanged e-mails might have saved the drug transaction information to a floppy disk, compact disk, or other remote memory device to keep it off of their hard drives. But unless those portable storage devices are also physically destroyed, they can be recovered and, if properly collected and analyzed, they too can produce credible evidence against their users. Hence, portable technological devices should be removed from the personal possession of a suspect during an arrest with the same care and preservation as an address book or a potential weapon.
Any hard drive that was used to view or edit the information, on a remote memory device such as a library computer used to access the information from a memory card or a printer used to make a hard copy from a compact disk, could have saved copies of the information, making it retrievable. One may even recover information about how an e-mail was created, or even retrieve the keystrokes used to draft a message, notwithstanding that the e-mail was never stored or saved as a document or file on a hard drive. This is especially true if law enforcement officers had been able to install a "spy" software program beforehand, which secretly records every keystroke made on the computer.
Given all of these possible repositories of electronic evidence of criminal activity, a growing number of law enforcement agencies now understand the potential to recover this evidence from technological devices and have begun to send their officers and agents to training programs, if available, to learn how to take advantage of it. Not only must this evidence be collected in such a manner as to avoid being suppressed at trial, it must also be analyzed carefully to fend off any claims of spoliation or tampering. It therefore becomes absolutely critical for all levels of law enforcement to be fully equipped, qualified, and trained to collect, search, and analyze electronic forensic evidence in a manner that maintains forensic integrity and thereby renders key evidence admissible at trial. The justice system has learned the lesson from the O.J. Simpson trial: even if evidence is deemed admissible, small forensic mistakes can doom otherwise powerfully credible evidence at trial.
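As an added illustration, not part of the article quoted above or of any tool it names: a toy Python model of two points the answer makes, that "emptying the trash" clears only the filesystem's record of a file while the data blocks remain (so an examiner can carve the content back out of the raw image), and that hashing the image before and after analysis lets the examiner show the evidence copy was not altered. The filesystem layout, file names and message text are constructed for this example.

```python
import hashlib
import struct

# Constructed toy layout, not a real filesystem: 4 directory records of
# (name, data offset, length), then a data area.
ENTRY = struct.Struct("<8sHH")
SLOTS = 4
DIR_SIZE = ENTRY.size * SLOTS
IMAGE_SIZE = 512

def make_image(files):
    """Write (name, content) pairs into a fresh image and return it as bytes."""
    img = bytearray(IMAGE_SIZE)
    cursor = DIR_SIZE
    for slot, (name, content) in enumerate(files):
        img[cursor:cursor + len(content)] = content
        ENTRY.pack_into(img, slot * ENTRY.size, name.ljust(8).encode(), cursor, len(content))
        cursor += len(content)
    return bytes(img)

def list_dir(img):
    """Names the filesystem still advertises: what the user sees after deleting."""
    entries = (ENTRY.unpack_from(img, s * ENTRY.size) for s in range(SLOTS))
    return [name.decode().strip() for name, _off, length in entries if length]

def delete_file(img, name):
    """'Empty the trash': zero the directory record; the data blocks stay as they were."""
    img = bytearray(img)
    for slot in range(SLOTS):
        n, _off, _length = ENTRY.unpack_from(img, slot * ENTRY.size)
        if n.decode().strip() == name:
            img[slot * ENTRY.size:(slot + 1) * ENTRY.size] = bytes(ENTRY.size)
    return bytes(img)

def carve(img, header, footer):
    """File carving: scan raw blocks for a header/footer pair, ignoring the directory."""
    found, start = [], img.find(header, DIR_SIZE)
    while start != -1:
        end = img.find(footer, start)
        if end == -1:
            break
        found.append(img[start:end + len(footer)])
        start = img.find(header, end + len(footer))
    return found

def examine(img):
    """Hash before and after carving so the examiner can show the copy was not altered."""
    acquired = hashlib.sha256(img).hexdigest()
    recovered = carve(img, b"MSG:", b":END")
    return {"visible": list_dir(img), "recovered": recovered,
            "integrity_ok": hashlib.sha256(img).hexdigest() == acquired}

def demo():
    """Constructed sample: one note and one 'e-mail' tagged MSG:...:END, then deleted."""
    img = make_image([("note", b"hello"), ("mail", b"MSG:deleted message body:END")])
    return examine(delete_file(img, "mail"))
```

After the deletion the directory lists only `note`, yet `carve` returns the full message and the image hash is unchanged by the examination.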